DSCI THREAT INTELLIGENCE AND RESEARCH INITIATIVE
THREAT ADVISORY APRIL-MAY 2021

RECENT THREATS

DarkSide Ransomware

Karla404 Ransomware

Ragnarok Ransomware

LockBit Ransomware

TI&R © Data Security Council of India 2021 Threat Advisory 3

THREAT IDENTIFICATION: DTIN0045 DARKSIDE RANSOMWARE

SYNOPSIS: The DarkSide ransomware and its affiliates have launched a global crime spree affecting organizations in more than 15 countries. The origins of these incidents are not monolithic. DarkSide operates as ransomware-as-a-service (RaaS): profit is shared between its owners and the partners, or affiliates, who provide access to organizations and deploy the ransomware.

Execution and Propagation:

STEP 1: The attacker finds exposed applications and devices affected by vulnerability CVE 2021 with the help of internet-wide search engines such as Shodan.

STEP 2: After finding reachable, vulnerable devices, the attacker tries to get into the system using SQL injection, brute-force and password-spraying attacks against the corporate VPN.

STEP 3: Upon successful login, the attacker interacts with various legitimate accounts and creates a domain account named “SPServices”.

STEP 4: In this step, the attacker uses the Cobalt Strike framework, its BEACON payload and F-Secure C3 to establish a command-and-control (C2) connection to the following servers:

hxxps://104.193.252[.]197:443/
hxxps://162.244.81[.]253:443/
hxxps://185.180.197[.]86:443/
hxxps://athaliaoriginals[.]com/
hxxps://lagrom[.]com:443/font.html
hxxps://lagrom[.]com:443/night.html
hxxps://lagrom[.]com:443/online.html
hxxps://lagrom[.]com:443/send.html
hxxps://lagrom[.]com/find.html?key=id#-
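The C2 URLs above are published in defanged form (hxxps, [.]) so they cannot be clicked by accident; before they can be matched against telemetry they have to be refanged and reduced to the host. The following Python script is an added example written for this advisory, not code from DSCI: it refangs the listed URLs, extracts their hosts, and sweeps a few constructed proxy log lines (format and addresses invented here) for connections to those hosts. Matching is done on the host rather than the full URL because the lagrom[.]com paths vary and a CONNECT line only carries host:port.

```python
import re
from urllib.parse import urlsplit

# Defanged C2 URLs exactly as the advisory lists them for DarkSide STEP 4.
DEFANGED_C2 = [
    "hxxps://104.193.252[.]197:443/",
    "hxxps://162.244.81[.]253:443/",
    "hxxps://185.180.197[.]86:443/",
    "hxxps://athaliaoriginals[.]com/",
    "hxxps://lagrom[.]com:443/font.html",
    "hxxps://lagrom[.]com:443/night.html",
    "hxxps://lagrom[.]com:443/online.html",
    "hxxps://lagrom[.]com:443/send.html",
    "hxxps://lagrom[.]com/find.html?key=id#-",
]


def refang(ioc: str) -> str:
    """Undo the hxxp/[.] defanging so the indicator parses as a normal URL."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", "."))


def c2_hosts(defanged=DEFANGED_C2) -> set:
    """Hosts (IPs and domains) referenced by the C2 URL list, lower-cased."""
    return {urlsplit(refang(ioc)).hostname.lower() for ioc in defanged}


# Constructed proxy log format (assumption, not from the advisory):
# <timestamp> <client-ip> <method> <target> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d+)$"
)


def target_host(target: str) -> str:
    """CONNECT lines carry host:port; GET lines carry a full URL."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def find_c2_hits(log_text: str, defanged=DEFANGED_C2):
    """Return (timestamp, client, host) for every log line that reached a listed C2 host."""
    hosts = c2_hosts(defanged)
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole sweep
        host = target_host(m["target"])
        if host in hosts:
            hits.append((m["ts"], m["client"], host))
    return hits


# Constructed sample proxy log: two clients touch listed hosts, the rest is benign traffic.
SAMPLE_PROXY_LOG = """\
2021-05-03T10:14:02Z 10.0.5.21 CONNECT 104.193.252.197:443 200
2021-05-03T10:14:09Z 10.0.5.21 GET https://www.example.com/index.html 200
2021-05-03T10:15:44Z 10.0.7.8 GET https://lagrom.com/find.html?key=id 200
2021-05-03T10:16:01Z 10.0.5.21 CONNECT athaliaoriginals.com:443 200
2021-05-03T10:16:30Z 10.0.9.3 GET https://updates.example.org/patch.bin 200
"""

if __name__ == "__main__":
    for ts, client, host in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}")
```

Run as-is it reports the three lines that touched a listed host; to use it on real data, replace SAMPLE_PROXY_LOG with your proxy export and adjust LOG_LINE to that format. Hits on the bare IP addresses deserve the same follow-up as hits on the domains, since a CONNECT to 104.193.252.197:443 never involves DNS and will not show up in resolver logs.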


STEP 5: After gaining a foothold on the IT network, the attacker elevates privileges using the Mimikatz tool and by exploiting MS-NRPC (CVE-2020-1472).

STEP 6: After elevating privileges, the attacker performs internal reconnaissance using built-in Windows utilities and other commands. The attacker uses BEACON payloads to avoid leaving traces in logs.

STEP 7: In this step, the attacker bypasses the firewall using the ngrok utility and enables RDP-like services, exposing the system to the open internet.

STEP 8: The attacker exfiltrates data over SFTP using Rclone. Rclone is a command-line utility for syncing files to cloud storage, abused here to move the stolen data to a cloud system.

STEP 9: In this step, the attacker uses the PsExec tool to identify the hosts holding the most files. It then deploys the ransomware encryptor and copies the binaries to the following directories:
C:\run\
C:\home\
C:\tara\
C:\Users\[username]\Music\
C:\Users\Public

Ransom Note

------[ Welcome to Dark ]------>

What happened?
------
Your computers and servers are encrypted, backups are deleted. We use strong algorithms, so you cannot decrypt your data. But you can restore everything by purchasing a special program from us - a universal decryptor. This program will restore all your network. Follow our instructions below and you will recover all your data.


Data leak
------
First of all, we have uploaded more than 100 GB of data.
Example of data:
- Accounting data
- Executive data
- Sales data
- Customer Support data
- Marketing data
- Quality data
- And more other...
Your personal leak page: http://darksidedxcftmqa.onion/blog/article/id/6/
The data is preloaded and will be automatically published if you do not pay. After publication, your data will be available for at least 6 months on our tor CDN servers.
We are ready:
- To provide you with the evidence of stolen data
- To give you a universal decrypting tool for all encrypted files.
- To delete all the stolen data.

What guarantees?
------
We value our reputation. If we do not do our work and liabilities, nobody will pay us. This is not in our interests. All our decryption software is perfectly tested and will decrypt your data. We will also provide support in case of problems. We guarantee to decrypt one file for free. Go to the site and contact us.

How to get access to the website?
------
Using a TOR browser:
1) Download and install TOR browser from this site: https://torproject.org/
2) Open our website: http://darksidfqzcuhtk2[.]onion/
When you open our website, put the following data in the input form:
Key:

!!! DANGER !!!
DO NOT MODIFY or try to RECOVER any files yourself. We WILL NOT be able to RESTORE them.
!!! DANGER !!!


IOCS

Created files:
%CD%\LOG.TXT
README.TXT
May version: %PROGRAMDATA%\.ico

Registry artifacts (<ransom_ext> is the victim-specific extension):
HKCR\<ransom_ext>\DefaultIcon = %PROGRAMDATA%\<ransom_ext>.ico

UAC bypass:
Elevation:Administrator!new:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

Encoded commands (WMI):
root/cimv2
SELECT * FROM Win32_ShadowCopy
Win32_ShadowCopy.ID='%s'
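The WMI query above targets the Volume Shadow Copies that an organisation would otherwise use to roll files back, and the advisory notes that it is passed as an encoded command. A detection therefore has to look inside the base64 that PowerShell's -EncodedCommand switch carries, not only at the visible command line. The Python script below is an added example written for this advisory (not DSCI's code): it decodes -EncodedCommand arguments (base64 of UTF-16LE, which is how PowerShell defines the switch) and flags any process-creation event whose plain or decoded command line references Win32_ShadowCopy. The event records and PIDs are constructed for the demonstration.

```python
import base64
import re

# WMI artefacts as listed in the advisory's DarkSide IOC section.
SHADOWCOPY_NAMESPACE = "root/cimv2"
SHADOWCOPY_QUERY = "SELECT * FROM Win32_ShadowCopy"
SHADOWCOPY_RE = re.compile(r"Win32_ShadowCopy", re.IGNORECASE)

# PowerShell accepts -EncodedCommand and its prefixes (-enc, -ec, -e); the value is
# base64 over the UTF-16LE encoding of the script.
ENCODED_ARG_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: leave it to other rules


def shadow_copy_query_present(cmdline: str) -> bool:
    """True when the command line, plain or decoded, references Win32_ShadowCopy."""
    candidates = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        candidates.append(decoded)
    return any(SHADOWCOPY_RE.search(text) for text in candidates)


def scan_process_events(events):
    """Return (pid, readable command) for each event that touches shadow copies."""
    hits = []
    for ev in events:
        if shadow_copy_query_present(ev["cmdline"]):
            readable = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
            hits.append((ev["pid"], readable))
    return hits


def _encode_for_powershell(script: str) -> str:
    # Used only to build the constructed sample events below.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events (assumed shape: pid + command line; not from the advisory).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "powershell.exe -NoP -W Hidden -enc " + _encode_for_powershell(
        f'Get-WmiObject -Namespace {SHADOWCOPY_NAMESPACE} -Query "{SHADOWCOPY_QUERY}"')},
    {"pid": 4188, "cmdline": "powershell.exe -enc " + _encode_for_powershell("Get-Date")},
    {"pid": 4202, "cmdline": "powershell.exe -Command Get-WmiObject Win32_ShadowCopy"},
    {"pid": 4310, "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\Public\notes.txt"},
]

if __name__ == "__main__":
    for pid, cmd in scan_process_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {cmd}")
```

The same decode step is worth applying to any command-line rule, because an encoded script defeats plain string matching on the process event. Legitimate backup and storage-management software does query Win32_ShadowCopy, so treat a hit as a lead to triage against the parent process and the user context rather than as a verdict on its own.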

HASH: MD5
04fde4340cc79cd9e61340d4c1e8ddfb
0e178c4808213ce50c2540468ce409d3
0ed51a595631e9b4d60896ab5573332f
130220f4457b9795094a21482d5f104b
1a700f845849e573ab3148daef1a3b0b
1c33dc87c6fdb80725d732a5323341f9
222792d2e75782516d653d5cccfcf33b
29bcd459f5ddeeefad26fc098304e786
3fd9b0117a0e79191859630148dcdc6d
47a4420ad26f60bb6bba5645326fa963


4d419dc50e3e4824c096f298e0fa885a
5ff75d33080bb97a8e6b54875c221777
66ddb290df3d510a6001365c3a694de2
68ada5f6aa8e3c3969061e905ceb204c
69ec3d1368adbe75f3766fc88bc64afc
6a7fdab1c7f6c5a5482749be5c4bf1a4
84c1567969b86089cc33dccf41562bcd
885fc8fb590b899c1db7b42fe83dddc3
91e2807955c5004f13006ff795cb803c
9d418ecc0f3bf45029263b0944236884
9e779da82d86bcd4cc43ab29f929f73f
a3d964aaf642d626474f02ba3ae4f49b
b0fd45162c2219e14bdccab76f33946e
b278d7ec3681df16a541cf9e34d3b70a
b9d04060842f71d1a8f3444316dc1843
c2764be55336f83a59aa0f63a0b36732
c4f1a1b73e4af0fbb63af8ee89a5a7fe
c81dae5c67fb72a2c2f24b178aea50b7
c830512579b0e08f40bc1791fc10c582
cfcfb68901ffe513e9f0d76b17d02f96
d6634959e4f9b42dfc02b270324fa6d9
e44450150e8683a0addd5c686cd4d202
f75ba194742c978239da2892061ba1b4
f87a2e1c3d148a67eaeb696b1ab69133
f913d43ba0a9f921b1376b26cd30fa34
f9fc1a1a95d5723c140c2a8effc93722


RECOMMENDATIONS:
- Enable multi-factor authentication for access to IT and OT networks
- Deploy strong endpoint protection for mal-spam defence
- Apply network segmentation between IT and OT networks
- Limit exposure of applications and services to the internet
- Enable a secure access mechanism for remote connections
- Embrace Zero Trust Network and Zero Trust Network Access
- Back up critical data, applications, firmware, etc.
- Activate a threat intelligence and hunting program within the organization
- Keep spare backup hardware available


THREAT IDENTIFICATION: DTIN0046 KARLA404 RANSOMWARE

SYNOPSIS: This malware is a type of ransomware that encrypts all files, making them inaccessible to the user. The attacker demands a ransom in exchange for restoring access to the data. Karla404 is another variant of the Zeppelin ransomware family.

Execution and Propagation:

STEP 1: The malware spreads via multiple vectors, mainly malicious email attachments, web links, spam emails, software cracks, malicious ads, torrent files, etc. Once such a link or attachment is opened, the malware is downloaded onto the victim's machine.

STEP 2: Upon execution, the malware starts to encrypt all files and adds the extension ".@Karla404" together with the victim's ID to every file. In the example shown, the victim's ID is 2D0-876-029.

Fig 2.1: Encrypted Files


STEP 3: Once the encryption process is complete, the malware drops a ransom note ("!!! ALL YOUR FILES ARE ENCRYPTED!!!.TXT") in every affected folder.

Fig 2.2: Ransom Note

CHARACTERISTICS: The malware communicates over encrypted channels. It assigns a unique ID to every infected machine in order to identify the victim.

RECOMMENDATIONS:
- If any system is affected, disconnect it from the network immediately
- Secure ports and services that are exposed to the internet
- Don't click on untrusted email attachments or web links
- Download software and content from trusted sources only
- Use CDR and similar technologies for better protection
- Ensure data backups for critical files


THREAT IDENTIFICATION: DTIN0047 RAGNAROK RANSOMWARE

SYNOPSIS: Ragnarok is a malicious application that encrypts data and demands a ransom in exchange for restoring access to it.

Execution and Propagation:

STEP 1: This malware spreads via P2P file sharing, untrusted attachments, web links, torrent files and malicious ads.

STEP 2: Upon execution, the malware encrypts all files present on the system and adds the extension ".ragnarok_cry" to every file.

STEP 3: After the encryption process completes, the malware creates text files that serve as ransom note and instructions, telling the user how to pay the ransom in exchange for file access.


CHARACTERISTICS: The attacker leaves no traces by using an encrypted communication channel. The attacker does not use any command-and-control server, which makes the attacker hard to trace.

RECOMMENDATIONS:
- Enforce strong email security mechanisms and policies
- Don't click on untrusted web links and attachments
- Don't download software and freeware from untrusted sources
- Use CDR and similar technologies to enhance security
- Ensure data backups for critical files


THREAT IDENTIFICATION: DTIN0048 LOCKBIT RANSOMWARE

SYNOPSIS: LockBit is a malicious application classified as ransomware that abuses commonly available protocols. It was initially known as ABCD malware because it used the ".ABCD" extension.

Execution and Propagation:

STEP 1: This malware infiltrates the system via various vectors such as email attachments, social engineering, cracked software, etc.

STEP 2: After execution, the malware tries to capture saved or already-authenticated credentials; if that fails, it brute-forces its way to elevated rights. It checks the user type and, if the account is a non-admin account, bypasses UAC to gain control.

STEP 3: In this step, the malware gathers information about SMB shares on the system and tries to write files over the network using a WMI script. On successful execution, script files are written to the WINDOWS/Temp directory with filenames matching *eck[0-9]?.exe.

STEP 4: After completing the necessary preparation, the malware starts encryption and appends the extension ".lockbit" to all files.


STEP 5: After the encryption process completes, the malware drops a ransom note "Restore-My-Files.txt" in the affected folders.


CHARACTERISTICS: Because it has few dependencies on other processes, the malware infects and propagates at a fast pace. To make detection and containment difficult, it runs all of its processes simultaneously. To maintain anonymity, it uses a ".onion" website instead of a command-and-control server.

IOCS

Restore-My-Files.txt: ransom note, written to each folder containing an encrypted file (file extension: .lockbit)

Filenames of executables written to disk:
Windows\Temp\eck2.exe
Windows\Temp\eck3.exe
Windows\Temp\eck4.exe
Windows\Temp\eck5.exe
Windows\Temp\eck6.exe
Windows\Temp\neweck.exe

HASH: SHA-256
e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877
0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335
1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18
26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739
69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997
0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76
1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770
5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db
ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75
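The three families in this advisory all leave file-system evidence that can be hunted for with the same logic: a rename that adds the encrypted-file extension (".@Karla404" plus victim ID, ".ragnarok_cry", ".lockbit"), a ransom note with a fixed name, and for LockBit the *eck[0-9]?.exe droppers in Windows\Temp and the SHA-256 hashes above. The Python script below is an added example written for this advisory, not DSCI's code, that turns those indicators into one classifier run over constructed file-creation and rename events. Where the advisory does not fix a detail, the script assumes one and says so in a comment: the exact position of the Karla404 victim ID in the filename, and the shape of the event records.

```python
import re
from collections import Counter

# Encrypted-file extensions as given in the advisory. The Karla404 ID placement is an
# assumption, so that pattern is searched anywhere in the name rather than anchored.
ENCRYPTED_EXTENSIONS = {
    "Karla404": re.compile(r"\.@Karla404\b", re.IGNORECASE),
    "Ragnarok": re.compile(r"\.ragnarok_cry$", re.IGNORECASE),
    "LockBit": re.compile(r"\.lockbit$", re.IGNORECASE),
}
# Ransom note filenames from the Karla404 and LockBit sections (compared case-insensitively).
RANSOM_NOTES = {
    "!!! ALL YOUR FILES ARE ENCRYPTED!!!.TXT": "Karla404",
    "RESTORE-MY-FILES.TXT": "LockBit",
}
# LockBit STEP 3 filename pattern *eck[0-9]?.exe, plus neweck.exe from the IOC list.
LOCKBIT_TEMP_DROPPER = re.compile(r"\\Windows\\Temp\\(?:eck[0-9]?|neweck)\.exe$", re.IGNORECASE)
# LockBit SHA-256 hashes as listed in the advisory.
LOCKBIT_SHA256 = {
    "e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877",
    "0f178bc093b6b9d25924a85d9a7dde64592215599733e83e3bbc6df219564335",
    "1b109db549dd0bf64cadafec575b5895690760c7180a4edbf0c5296766162f18",
    "26b6a9fecfc9d4b4b2c2ff02885b257721687e6b820f72cf2e66c1cae2675739",
    "69d9dd7fdd88f33e2343fb391ba063a65fe5ffbe649da1c5083ec4a67c525997",
    "0a937d4fe8aa6cb947b95841c490d73e452a3cafcd92645afc353006786aba76",
    "1e3bf358c76f4030ffc4437d5fcd80c54bd91b361abb43a4fa6340e62d986770",
    "5072678821b490853eff0a97191f262c4e8404984dd8d5be1151fef437ca26db",
    "ca57455fd148754bf443a2c8b06dc2a295f014b071e3990dd99916250d21bc75",
}


def classify_event(event: dict) -> list:
    """Return (family, reason) pairs for one file event; empty list if nothing matches."""
    path = event["path"]
    name = path.rsplit("\\", 1)[-1]
    findings = []
    for family, pattern in ENCRYPTED_EXTENSIONS.items():
        if pattern.search(name):
            findings.append((family, "encrypted-file extension"))
    if name.upper() in RANSOM_NOTES:
        findings.append((RANSOM_NOTES[name.upper()], "ransom note dropped"))
    if LOCKBIT_TEMP_DROPPER.search(path):
        findings.append(("LockBit", "executable written to Windows\\Temp"))
    if event.get("sha256", "").lower() in LOCKBIT_SHA256:
        findings.append(("LockBit", "known SHA-256"))
    return findings


def scan_file_events(events) -> list:
    """(path, findings) for each event that matched at least one indicator."""
    out = []
    for ev in events:
        findings = classify_event(ev)
        if findings:
            out.append((ev["path"], findings))
    return out


def family_counts(events) -> Counter:
    """Number of events pointing at each family (a family counts once per event)."""
    counts = Counter()
    for _, findings in scan_file_events(events):
        for family in {fam for fam, _ in findings}:
            counts[family] += 1
    return counts


# Constructed file events (assumed shape: op, path, optional sha256; not from the advisory).
SAMPLE_EVENTS = [
    {"op": "rename", "path": r"C:\Users\alice\Documents\budget.xlsx.lockbit"},
    {"op": "create", "path": r"C:\Users\alice\Documents\Restore-My-Files.txt"},
    {"op": "create", "path": r"C:\Windows\Temp\eck3.exe",
     "sha256": "e3f236e4aeb73f8f8f0caebe46f53abbb2f71fa4b266a34ab50e01933709e877"},
    {"op": "create", "path": r"C:\Windows\Temp\neweck.exe", "sha256": "0" * 64},
    {"op": "rename", "path": r"D:\share\report.docx.2D0-876-029.@Karla404"},
    {"op": "create", "path": r"C:\ProgramData\vendor\update.exe", "sha256": "f" * 64},
    {"op": "rename", "path": r"C:\Users\bob\Pictures\photo.jpg.ragnarok_cry"},
]

if __name__ == "__main__":
    for path, findings in scan_file_events(SAMPLE_EVENTS):
        print(path, findings)
    print(dict(family_counts(SAMPLE_EVENTS)))
```

The filename and extension rules fire even when the binary is a fresh build that the hash list does not cover, which is why neweck.exe in the sample is still flagged despite its unknown hash; the hash match is the high-confidence confirmation, the name and extension rules are the early warning. In practice the first rename to one of these extensions should trigger isolation of the host, since by STEP 4 the encryptor is already running.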


RECOMMENDATIONS:
- Don't download software from untrusted sources
- Use strong passwords and MFA
- Clean out outdated and unused accounts
- Secure UAC and related control measures
- Use secure design mechanisms and protocols wherever necessary
- Ensure data backups for critical files

ABOUT DSCI

Data Security Council of India (DSCI) is a not-for-profit industry body on data protection in India, set up by NASSCOM®, committed to making cyberspace safe, secure and trusted by establishing best practices, standards and initiatives in cybersecurity and privacy. DSCI works together with the Government and its agencies, law enforcement agencies, industry sectors including IT-BPM, BFSI, CII and Telecom, industry associations, data protection authorities and think tanks on public advocacy, thought leadership, capacity building and outreach initiatives.

CONTACT US
Data Security Council of India (DSCI)
4th Floor, NASSCOM Campus, Plot No. 7-10, Sector 126, Noida, UP - 201303

Follow us: Twitter | LinkedIn
